PoC Exploit Released for Windows Server Update Services Remote Code Execution Vulnerability
A proof-of-concept (PoC) exploit has been released for a critical vulnerability in Microsoft’s Windows Server Update Services (WSUS) that lets unauthenticated attackers execute code with SYSTEM privileges on affected servers. Tracked as CVE-2025-59287 and assigned a CVSS v3.1 score of 9.8, the flaw stems from unsafe deserialization of untrusted data in WSUS’s AuthorizationCookie handling. Disclosed as part of Microsoft’s October 2025 Patch Tuesday, the vulnerability poses a severe risk to enterprise update infrastructure, since a compromised WSUS server can be used to reach every client that trusts it.
At its core, CVE-2025-59287 is a deserialization flaw in the EncryptionHelper.DecryptData() method. Incoming cookie data, encrypted with AES-128-CBC, is decrypted and then passed directly to .NET’s BinaryFormatter for deserialization. This legacy serializer enforces no type restrictions, so an attacker can craft a payload that triggers arbitrary code execution when it is processed. Microsoft classified the flaw as “Exploitation More Likely,” highlighting its wormable potential across networked WSUS servers.
The exploit begins with an unauthenticated HTTP POST request to the WSUS ClientWebService endpoint on port 8530. Attackers send a SOAP envelope containing a tampered AuthorizationCookie with a PlugInId of “SimpleTargeting” and encrypted payload data. The server decrypts the cookie using a hardcoded key (“877C14E433638145AD21BD0C17393071”), strips the IV block, and deserializes the result via BinaryFormatter.
A publicly available PoC, shared by researcher “hawktrace” on GitHub, demonstrates payload generation in C#. It serializes a malicious delegate that launches “calc.exe” or a similar command, encrypts it without padding, and outputs a Base64-encoded string for the SOAP request. The accompanying trace shows the call chain from Client.GetCookie() through AuthorizationManager to DecryptData(), where the deserialization runs under the SYSTEM context. No user interaction is needed, which makes exposed WSUS instances a high-priority target.
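Because the attack needs nothing more than network reachability to the WSUS endpoint, the first defensive question is whether a host runs the role and exposes the listener. The following PowerShell triage script is an added example, not code from the article or from the researcher's PoC; it assumes the role feature name "UpdateServices", the default WSUS ports 8530 (HTTP) and 8531 (HTTPS, an assumption since the article names only 8530), and an elevated session on Windows Server with the ServerManager and NetSecurity modules available.

```powershell
<#
  WSUS exposure triage for CVE-2025-59287 (added example, not from the article).
  Usage:  .\Check-WsusExposure.ps1             # report only
          .\Check-WsusExposure.ps1 -BlockInbound # also add a host-firewall block rule
  Assumptions: feature name "UpdateServices"; ports 8530/8531 (8531 assumed).
#>
param([switch]$BlockInbound)

$wsusPorts = 8530, 8531

# 1. Is the WSUS server role installed? If not, this host is not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output "WSUS role not installed; CVE-2025-59287 does not apply to this host."
    return
}
Write-Warning "WSUS role is installed; confirm the October 2025 update is applied."

# 2. Which WSUS listeners are bound, and to which addresses?
#    A listener on 0.0.0.0 or :: is reachable from every network the host sits on.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $wsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
if ($listeners) {
    Write-Output "WSUS listeners found:"
    $listeners | Format-Table -AutoSize
} else {
    Write-Output "No listener on $($wsusPorts -join '/'); service may be stopped or on a custom port."
}

# 3. Optional interim mitigation until the patch is applied: block inbound WSUS
#    traffic at the host firewall. This also stops legitimate client check-ins.
if ($BlockInbound) {
    $ruleName = "Block inbound WSUS (CVE-2025-59287 interim mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $wsusPorts -Action Block -Profile Any | Out-Null
        Write-Output "Created firewall rule '$ruleName'."
    } else {
        Write-Output "Firewall rule '$ruleName' already exists."
    }
}
```

Remove the block rule once the patch is installed, otherwise managed clients can no longer retrieve updates from this server.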